Stirling and District Classic Car Club
(hereinafter referred to as ‘the Club’)
General Data Protection Regulations Policies and Procedures
Club officials are the members of the Club committee, or can be an ordinary member carrying out a specific role or task for the Club.
- The four Club directors, who are the chairman, the vice chairman, the treasurer and the secretary, have been briefed and have approved the Club’s GDPR policy. GDPR forms a regular part of the agenda of the Club’s bi-annual committee meetings, to discuss issues arising, updates and changes that may be required.
- The content of this policy is available to read on the public side of the Club’s website.
- Club officials may not have access to members’ data without first signing the Club’s GDPR confidentiality agreement indicating that they understand and will comply with these rules. Copies will be retained by the Club’s Data Protection Controller. In addition, guidance will be provided for the use of members’ data on their own computer to ensure its continuing confidentiality.
- Members’ data is stored purely for the use of the Club in administering the Club’s membership services and events and in the distribution of its newsletter, membership cards, annual programme, events tickets and passes, and annual copies of the SVVF yearbook.
- It is not passed on to other organisations for commercial or any other purpose, with the exception that members who are participating in events, and where the information is necessary, will have their details passed to event organisers, hotels, transport providers etc. This will be limited to the information provided by the member for participation in the event.
- The Club stores the following personal information: member’s name or, in the event of a joint membership, both names; postal address and postcode; telephone number(s); e-mail address; membership number and fee paid or due; and cars owned where given.
- This information is stored on the Membership secretary’s computer with recognised anti-virus protection and backed up with a paper copy in the form of a membership book retained securely by the Membership secretary.
- In order that officials may contact members to inform them of activities the members’ database is available to the officials concerned. This information is only released following the receipt of a signed copy of the Club Data Confidentiality Agreement which is retained by the Data Controller.
- The regular data processors’ roles are the Chairman, the Membership secretary, the SVVF programme distribution co-ordinator, the External events co-ordinator, the Newsletter production and distribution co-ordinator, the Club treasurer, and the Club’s own annual show workforce roles co-ordinator.
- Data is distributed to officials via email for storage on their own computer, which must be protected by anti-virus software.
- Personal data will be destroyed two years after cessation of membership, unless a member or former member requests destruction at an earlier date. Names of former members may be retained for interest and archive reasons along with their period of membership and any awards or positions they may have held.
- Officials must undertake to return or destroy any information they hold when they cease to hold office or when it is no longer necessary for them to retain it.
- Officials must undertake to return or destroy information deemed as out of date by the Club and when further current information about the membership is distributed.
The GDPR includes the following rights for individuals:- The right to be informed, to access, to rectification, to erasure, to restrict processing, to object. A request for further information on the above rights may be made to the Data Controller. Where a member requests that their total data information be deleted it will be done at the discretion of the Data Controller, following receipt of legal advice, if other issues are involved.
Lawful basis for processing personal data
- The Club only stores and processes personal data for the administration of Club membership and activities. Therefore no consent is sought for the use of this data, as it is assumed and expected that this is why the member is joining the Club.
- Should a member wish to be a member but not receive the Club newsletter, membership card, event information etc. they may inform the Data Controller that they wish their relevant data to be removed from the database.
- The processing of data of a child is lawful where the child is at least sixteen years old.
- Where a child is below the age of sixteen years consent must be given or authorised by the holder of parental responsibility over the child.
- The Data Controller shall make reasonable efforts to verify that consent is from the holder of parental responsibility for that child.
Data Protection and Breaches
- The Club is aware of its obligations to prevent data breaches and operates a secure system for data storage and transfer.
- Responsibility for the security of Club members’ data lies with all Club officials who are in possession of it. In addition, a Data Protection Controller has been designated to oversee what data is stored and how it is processed and used.
- The Data Controller must always be informed of any data breach and in such cases a review will be carried out to investigate how the breach occurred and how future breaches will be prevented. The review will also consider if it is necessary to inform the individuals whose data is involved.
Updates and Review
- This policy and procedures guidance will be reviewed at least annually during the Club’s Committee meetings, or at such time as events and experience dictate, in order to ensure the Club’s continued compliance with GDPR.
- If you have any queries about this guidance or wish to exercise your rights under the regulations please contact the Club Data Controller.
Officials Data Storage Guidance
- Your computer must be equipped with up to date anti-virus software.
- You must access Club data via a password known only to you.
- You must store Club data away from personal data to avoid accidental distribution.
- If you lose your computer or suspect data has been stolen from it you must inform the Data Controller immediately.
- When data is updated you must destroy all previous data.
- When emailing out in numbers you must ensure you use blind copy only for all recipients.
- If you are contacted by a member (or other person) asking for contact details, you must refuse, but you may offer, on informing the enquirer, that you will pass their details on.
- Under no circumstances should data be passed to a commercial organisation unless it is required to participate in an event, and then only the information supplied by the participant.
- Please be aware that, under the regulations, correspondence and emails written or received by you can be requested for viewing by the person(s) who are their subject.
- You should also be aware that where an individual has abused or lost information supplied to them the Information Commissioner’s Office has prosecuted that individual under the regulations.